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Description 



Method of Storing Data in a Random Access Memory, and an Encryption and Decryption De- 
vice 

This invention relates to a method of storing data in a random access memory, and to an 
encryption and decryption device. 

In order to ensure data security or to protect copyrights, a known approach is to store the 
data in encrypted form in a read-only memory (ROM), such as, for example, an EPROM, 
EEPROM, CD-ROM, DVD-ROM, etc. These data may relate to both data from executable pro- 
grams (program codes) as well as video or audio data. An approach is also known whereby video 
data or audio data are transmitted in encrypted form from a transmitting device to a receiving 
device. 

The objective is that the use of the encryption-stored or encryption-transmitted data is 
thereby enabled only for those users who have a corresponding decryption unit (decoder) with a 
"matching" key. 

Conventional encryption algorithms, such as, for example, the DES method (DES = Data 
Encryption Standard) or the AES method (AES = Advanced Encryption Standard) en- 
crypt/encode the data blockwise, wherein with the DES method, for example 64 data bits are 
encoded in one block. Since in this method the number of data bits contained in a data block is 
usually greater that the number of data bits of a data word processable by a processing unit, it is 
necessary to have the processing unit first store the data words obtained after decoding a data 
block in a random access memory (RAM) before these undergo further processing. 

These RAMs located externally to the processing unit represent a security risk insofar as 
there is a possibility that the encrypted data can be tapped along the link between the RAM and 
the processing unit. These data, for example video or audio data, can then be stored in unen- 
crypted form, thereby making them accessible to unauthorized use. 

If the data stored in the RAM happen to be the data of a program code, then there is the 
risk that the program flow may be determined by unauthorized persons. In addition, there is the 
risk that unauthorized program code may be fed into the unit executing the program in order, for 
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example, to provide additional functions which are not supposed to be provided by the author- 
ized program code. 

The goal of this invention is to provide a secure method of storing data in a RAM which 
does not have the afore-mentioned disadvantages and is implementable at low cost, as well as a 
device to encrypt/decrypt the data stored in a RAM. 

These goals are achieved by a method according to Claim 1 and by a device according to 
Claim 12. Advantageous embodiments of the invention are described in the subordinate claims. 

In the method according to the invention for storing data in a random access memory 
(RAM) in which data words are storable with a predetermined number of data bits, an encryption 
of each data word is effected before storage whereby a permutated data word with a predeter- 
mined number of data bits is generated from each data word, or from a data word derived from 
this data word, by one-to-one rearrangement/permutation of the individual data bits using a first 
permutation key. 

An advantageous aspect of this method is that the individual data bits of the permutated 
data word are substituted using a first substitution key before the storage, wherein the data word 
encrypted by permutation and subsequent substitution is stored in the memory. In this connec- 
tion, there is also the possibility of substituting the data bits of the data word to be encrypted 
before the permutation using a first substitution key, and of storing the data word obtained from 
the substitution and subsequent permutation as the encrypted data word. 

The encryption of the individual data words is preferably effected in the same chip in 
which the processing unit processing the data words is integrated. The data words transferred 
externally from this chip to the RAM memory for storage are provided in encrypted form in this 
method, and are thus protected against interference effects or unauthorized tapping of the data. In 
this method, the encryption is effected data word by data word, with the result that, unlike the 
case of blockwise encryption, no additional storage on the chip is required for the encryption or a 
decryption. 

The permutation or rearrangement of the individual data bits as determined by the permu- 
tation key represents an effective encryption method. Given a data word of 32 bit width, there are 
32!~2,6T0 35 different permutation possibilities. This number of permutation possibilities for a 
data word of 32 bit length increases by a factor of 2 32 when in addition to the permutation a sub- 
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stitution of the input data word, or of the already permutated data word, is effected using a sub- 
stitution key of 32 bit length. 

The substitution of a data word to be substituted is effected as determined by the substitu- 
tion key, for example by assigning a key bit of the substitution key to each data bit of the data 
word, wherein the respective data bit is mapped, in unchanged or inverted form as a function of 
the value of the assigned substitution key bit, to the data word resulting from the substitution. 

In one embodiment, the permutation key comprises a number of unique subkeys corre- 
sponding to the number of the data bits of the data word to be permutated, these keys each being 
assigned to a data bit of the data word resulting from the permutation. The individual subkeys 
indicate which of the data bits of the data word to be permutated is to be mapped to the respec- 
tive data bit to which the subkey is assigned. 

Each subkey of the permutation key here comprises a number of key bits, wherein pref- 
erably provision is made to implement incrementally the mapping of a data bit of the data word 
to be permutated to a data bit of the permutated data word using a subkey according to the fol- 
lowing steps: 

a) selecting a first group of data bits from the data bits of the permutated data word as de- 
termined by a first key bit of the subkey; 

b) selecting a second group of data bits from the first group of data bits obtained by the 
previous selection as determined by a second key bit of the subkey; 

c) repeating step b), each time using an additional key bit in order to select from the 
group obtained by the previous selection an additional group until the selected group comprises 
only one more data bit which corresponds to the data bit of the permutated data word. 

This type of incremental selection procedure to map a data bit of the data word to be 
permutated to a data bit of the permutated data word provides the advantage that no storage ele- 
ments are required to implement it. 

The permutation key, and possibly the substitution key, are regenerated before a new 
writing to the RAM memory, for example, after connection to a device containing the RAM 
memory. 

The substitution key, which comprises a number of substitution key bits, corresponding 
to the number of data bits is generated here by picking out a corresponding number of bits from a 
sequence supplied by a random number generator. 
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When generating the permutation key, care must be taken that the individual subkeys dif- 
fer so as to ensure a one-to-one assignment of a data bit of the data word to be permutated to a 
data bit of the permutated data word. In order to generate the individual sub-permutation-keys 
which are each assigned to a bit position of the permutated data word, and which together yield 
the permutation key, provision is made to generate a sub-permutation-key consecutively for each 
bit position of the permutated data word, and thereby to check whether the generated sub- 
permutation-key has already been generated for another bit position. If this sub-permutation-key 
has already been generated, it is rejected and a new sub-permutation-key is randomly generated 
for the given bit position. If the randomly generated sub-permutation-key does not yet exist, then 
this key is retained for the given bit position. This procedure repeats until to each bit position of 
the permutated data word one sub-permutation-key has been assigned for the selection of a data 
bit of the data word to be permutated. 

The decryption of the data words stored in the RAM is effected analogously to the en- 
cryption procedure. If in a two-step procedure comprising permutation and substitution the data 
word to be encrypted is first permutated and then substituted, then during decryption the en- 
crypted data word is first "back"-substituted using a second substitution key to undo the substitu- 
tion effected during encryption, and subsequently "back"-permutated using a second permutation 
key in order to undo the permutation effected during the encryption. 

If during encryption of the data word first a substitution and then a permutation is ef- 
fected, then during decryption the encrypted data word is first permutated using the second per- 
mutation key, then substituted in order to recover the original data word. 

Depending on the type of substitution used, the first substitution key can be selected in 
identical form to the second substitution key, for example, whenever the substitution consists in 
mapping the individual data bits unchanged or inverted as determined by the key bits of the sub- 
stitution key. 

The following employs embodiments to explain the invention in more detail based on the 

figures. 

Figure 1 shows an arrangement comprising an encryption and decryption arrangement 
which encrypts the data to be stored in a random access memory and which decrypts the data 
read out from the random access memory. 
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Figure 2 shows an embodiment of an encryption and decryption arrangement comprising 
an encryption unit, a decryption 
unit, a key generator, and a random number generator. 

Figure 3 shows an embodiment of an encryption arrangement which comprises a permu- 
tation unit and a substitution unit. 

Figure 4 schematically illustrates the structure of a permutation unit which comprises se- 
lection units. 

Figure 5 shows an embodiment of a selection unit which comprises multiple selection 
stages with selection switches. 

Figure 6 illustrates the functional principle of a selection unit for a data word of 8 bit 

width. 

Figure 7 shows the circuit-logic-implemented embodiment of the selection switches 
shown in Figure 5. 

Figure 8 schematically illustrates an embodiment of the substitution unit shown in Figure 
3, the substitution unit comprising multiple substitution elements. 

Figure 9 illustrates a possible embodiment of the substitution elements shown in Figure 8. 

Figure 10 illustrates the construction of the permutation key from subkeys and key bits, 
and the construction of the substitution key. 

Figure 1 1 illustrates the complete structure of a permutation unit for an encryption unit as 
indicated in Figure 2 for data words of 4 bits. 

Figure 12 shows the permutation unit corresponding to the permutation unit shown in 
Figure 1 1 for use in a decryption unit as indicated in Figure 2. 

Figure 13 schematically illustrates the structure of an internal memory, provided in the 
key generator, to store a first permutation key for the encryption and a second permutation key 
for the decryption. 

Unless otherwise indicated, identical reference notations in the figures denote compo- 
nents and signals of identical meaning. 

Figure 1 shows a random access memory (RAM) 20 which is designed to store data 
words of n-bit length. Memory 20 has an input 21 to read in data words to be stored, and an out- 
put 22 to read out stored data words. Not shown in Figure 1 are the required control wires 
through which the memory addresses are communicated to the memory, at which addresses the 
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individual data words are to be stored or from which addresses the individual data words are to 
be read out. 

Processing of the data words read into memory 20, or read out of this memory, is effected 
in a data processing unit 30, for example, a processor. Depending on the type of this processor, 
the data words stored in memory 20 are, for example, data words of a program code which is 
executed by the processor, or data words of video or audio data which are moved by processor 
30 through suitable output units in order to be perceived. 

Data processing unit 30 and memory 20 are not integrated on a common chip, as indi- 
cated in Figure 1 by the broken line between data processing unit 30 and memory 20. In order to 
prevent any "wiretapping" of or interference with data communication between data processing 
unit 30 and memory 20, an encryption and decryption unit 10 is provided between data process- 
ing unit 30 and memory 20 on the same chip on which data processing unit 30 is located. This 
device 10 encrypts data words M outputted by data processing unit 30 so as to provide encrypted 
data words M' which are stored word-by- word in memory 20. In the reverse direction, device 10 
decrypts data words M' stored in encrypted form in memory 20 in order to recreate the original 
data word processable by data processing unit 30. In Figure 1 and subsequently, M denotes an 
arbitrary unencrypted data word of length n, while M' denotes an arbitrary encrypted data word 
of length n generated by encrypting a data word M. 

Figure 2 schematically illustrates the structure of this encryption and decryption device 
10. The device shown comprises an encryption unit 1 1 which has an input of n-bit width to sup- 
ply an unencrypted data word M, and an output 1 1 1 to output an encrypted data word M\ En- 
cryption of data word M is effected as determined by a first key C which is provided by a key 
generator 13. For the purpose of supplying this first key C, a binary random sequence RS is fed 
by a binary random number generator 12 to key generator 13. 

Device 10 further comprises an encryption unit 1 1 ' with an input 1 10' to supply an en- 
crypted data word M' of n-bit width, and an output 1 1 1' to supply the decrypted data word M 
generated from encrypted data word M'. The decryption is effected as determined by a second 
key C which is matched to first key C and which is also provided by key generator 13. 

The decryption unit maps the data word using first key C uniquely to the encrypted data 
word M', wherein: 
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M' = E(M,C) (1), 

where E stands for the encryption function implemented by encryption unit 1 1 . Analo- 
gously: 

M = D(M',C') (2), 

where D stands for the decryption function implemented by decryption unit 11'. 

Figure 3 schematically illustrates an embodiment of encryption unit 1 1 which in the ex- 
ample comprises a permutation unit 14 and a substitution unit 15. Permutation unit 14 has inputs 
to supply the individual data bits M[n-1]...M[0] of data word M, and outputs to supply data bits 
Mp[n-1], Mp[k], Mp[0] of a permutated data word Mp. The individual data bits Mp[n-l]...Mp[0] 
of permutated data word Mp result from the data bits M[n-1]...M[0] of data word M by permuta- 
tion/rearrangement as determined by a permutation key P. The permutation here is effected on a 
one-to-one basis, that is, one data bit each of unencrypted data word M is mapped to one data bit 
of permutated data word Mp. 

In the example, data bits Mp[n-l]...Mp[0] of permutated data word Mp are then substi- 
tuted by a substitution unit 15 as determined by a substitution key S, wherein substitution unit 15 
provides the data bits of encrypted data word M'. As determined by substitution key S, one data 
bit each of permutated data word Mp is mapped by substitution unit 15 to one data bit M'[n- 
1]...M'[0] of encrypted data word M'. 

The following explains the structure and the functional principle of permutation unit 14 
based on Figures 5 through 7. Next, the structure and functional principle of substitution unit 15 
will be explained based on Figures 8 and 9. 

With reference to Figure 4, permutation unit 14 has a number of selection units 14_n- 
1 ...14_0 corresponding to the number of data bits of the data word to be encrypted M, wherein 
all the data bits M[n-1]...M[0] of data word to be encrypted M are supplied to each of these se- 
lection units, and wherein the individual selection units 14_n-1...14_0 each provide a data bit 
Mp[n-l]...Mp[0] of the permutated data word Mp. Mapping of one of the data bits of unen- 
crypted data word M to one of the data bits of permutated data word Mp is effected in selection 
units 14_n-1...14_0 as determined by sub-permutation-keys P[n-1], P[k], P[0]. Each of these sub- 
permutation-keys differ in order to map each of the data bits of input data word M exactly once 
to a data bit of permutated data word Mp. The sub-permutation-keys together produce the per- 
mutation key, where: 
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P = (P[n-l],...P[0]). 

The individual selection units 14_n-1...14_0 are structured identically, the structure of a 
random one of these selection units, here selection unit 14_k, being explained below based on 
Figure 5. 

This selection unit 14_k provides the data bit Mp[k] from the data bits M[n-1]...M[0] of 
data word M as determined by sub-permutation-key P[k]. This sub-permutation-key comprises m 
key bits P[k,m-l]...P[k,0]. 

Selection unit 14Jc comprises multiple selection stages 141_0...141_m-l. All the data 
bits of input data word M are supplied to a first selection stage 1410. As determined by a first 
key bit P[k,0] of sub-permutation-key P[k], this first selection stage 1410 selects a first group of 
data bits which are supplied to a second selection stage 141_L As determined by a second key 
bit P[k,l], second selection stage 141_1 generates from this first group a second group which is 
supplied to the third selection unit 1412. 

In the example shown, reduction of the data bits present in the respective groups is ef- 
fected from selection stage to selection stage by a factor of 2, such that after m = log2(n) selec- 
tion stages only one data bit is left which corresponds to data bit Mp[k] of permutated data word 
Mp. In this example in which n = 32 = 2 5 , there are thus m = 5 selection stages. 

In the example, each of the selection stages comprises a number of selection switches 
142, to which two data bits each of a data group are supplied, and which, as determined by a 
permutation key bit, select one of the two data bits and pass it on to the next selection stage. 

The supply of the individual data bits to the selection switches of the given selection 
stage is effected such that two data bits each are supplied to a selection switch, which data bits 
have successive bit positions in relation to the group from which the given selection stage has 
made a selection. In the example of Figure 5, the respective higher-order bit is supplied to a first 
input INI, while the respective lower-order bit is supplied to a second input IN2, of the given 
selection switch 142. In the example shown, given a key bit "1", the bit applied at input INI, that 
is, the higher-order bit, is passed to output OUT1, and thus to the next selection stage. 

The functional principle of the selection stage shown in Figure 5 is explained below 
based on an 8-bit-wide data word M in Figure 6. From these 8 data bits M[7]...M[0], one is se- 
lected to generate data bit Mp[k] of the permutated data word. The first key bit P[k,0] of subkey 
P[k] has a value of 1 so that out of two data bits that are consecutive in terms of significance the 
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higher-order one is selected, thus yielding a first group with data bits M[7], M[5], M[3], M[l]. 
Out of each two consecutive, in terms of their significance, data bits, that is, data bits M[7], M[5] 
and M[3], M[l], one data bit each is selected as determined by the second key bit P[k,l]. In the 
example, this key bit is "0", so that in each case the lower-order one of the two data bits is se- 
lected, that is, data bits M[5], M[l]. Out of this resulting additional group of data bits, one, in this 
case the higher-order one or data bit M[5], is selected as determined by the third key bit P[k,2] in 
order to generate data bit Mp[k] of the permutated data word. 

If one arranges the data bits in each of the selection groups as a function of their signifi- 
cance, and out of two adjacent ones in terms of their significance given a key bit "1" one selects 
the higher-order data bit, and given a key bit "0" one selects the lower-order one of these two 
data bits, then the value of the bit position of the selected data bit, in this case of data bit M[5], 
corresponds to the decimal equivalent of subkey P[k], as explained below: 

If one views subkey P[k] as a binary numerical sequence, the most significant bit (MSB) 
of which is generated by the key bit P[k,m-1] of the last selection stage, and the least significant 
bit (LSB) of which is generated by key bit P[k,0] of the first selection stage, then the decimal 
equivalent of this binary sequence, in this case lOh = 5 10, corresponds to the bit position of data 
bit M[5] selected from data word M. 

A circuit-logic implementation of one embodiment of one of the selection switches 142 is 
shown in Figure 7. In order to implement the described selection function, the selection switch 
comprises two AND gates, AND1, AND2, the outputs of which are supplied to an OR gate OR1, 
wherein the output of this OR gate forms the output OUT1 of the selection switch. One each of 
inputs INI, IN2 to supply the data bits is supplied to one of the AND gates AND1, AND2. The 
other input of the AND gate AND1 is coupled to the third input IN3 to supply a key bit, wherein 
this key bit is supplied in inverted form through an inverter IN VI to the other input of AND gate 
AND2. When a logical "1" is applied at the third input IN3, the data bit applied at first input INI 
is passed through the first AND gate bit AND1 and OR gate OR1 to output OUT1 . Given a logi- 
cal "0" at the third input IN3, the data bit at second input IN2 is accordingly passed through sec- 
ond AND gate AND2 and OR gate OR1 to output OUT1 . 

With reference to Figure 8, substitution unit 1 5 comprises a number of substitution ele- 
ments 15_n-1...15_0 corresponding to the number of data bits, one data bit of the data word to be 
substituted being supplied to each of the elements; in the example of Figure 3, that of permutated 
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data word Mp. The key S, on the basis of which the substitution is effected, comprises n key bits 
S[n-l]...S[0], wherein one of these key bits S[n-l]...S[0] is supplied to each of the substitution 
elements. Substitution elements 15_n-1...15_0 are designed, as determined by the respective sub- 
stitution key bit S[n-l]...S[0], to output in unchanged or inverted form the data bit Mp[n- 
l]...Mp[0] supplied to the respective substitution element 15_n-1...15_0. 

A circuit-logic implementation of an embodiment of this substitution element is shown in 
Figure 9. The substitution element 15_k comprises a first and second AND gate AND3, AND4, 
and an OR gate OR2 connected following AND gates AND3, AND4, at the output of which OR 
gate the substituted data bit is provided. The substituted data bit is supplied to the substitution 
element through a first input IN4, and this data bit is supplied in inverted form by a first inverter 
INV2 to first AND gate AND3, and in unchanged form to second AND gate AND4. The respec- 
tive substitution key applied at a second input INS of the substitution element is supplied to first 
gate AND3 in unchanged form, and to second AND gate AND4 in inverted form by a second 
inverter INV3. This arrangement ensures that given a substitution key bit "1" the data bit applied 
at first input IN4 is provided in inverted form, and given a substitution key bit "0" this data bit is 
provided in unchanged form at output OUT2. 

In the embodiment of Figure 3, the encrypted data word M' is generated from unen- 
crypted data word M by permutation and subsequent substitution of data word Mp resulting from 
the permutation. It is of course understood that it is also possible first to substitute data word M 
using substitution key M, and then to permutate the resulting substituted data word using permu- 
tation key P in order to arrive at the encrypted data word M\ 

The determining factor for the efficacy of an encryption system is the number of different 
possible keys. In the example described, key C to encrypt data word M is composed of permuta- 
tion key P and substitution key S. Permutation key P comprises a number of subkeys correspond- 
ing to the number of data bits, the length of the subkeys being defined by m=log2(n). With refer- 
ence to Figure 10, the permutation key can be viewed as a vector with n subkeys P[n-l]...P[0], or 
as an n x m matrix of individual subkey bits P[n-l,m-l]...P[0,0]. For data words of length n=32, 
the permutation key comprises 32 different subkeys P[n-l]...P[0], thereby resulting in 32! differ- 
ent key combinations. Given that for substitution key S there are 2 n available possibilities, then 
for the number N possible keys C for data words to be encrypted of length n=32 the result is: N = 
(32!>2 32 . 
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Substitution key S for encryption and decryption can easily be generated as part of a bi- 
nary random sequence. 

A method of generating the permutation key is explained below for a data word of length 
n=4 bit based on Figures 1 1 through 13. 

Figure 1 1 first shows a permutation unit 14 to generate permutated data word Mp from 
data word M with n=4 selection units 14 3, 14 2, 141 , 14_0 which are each of two-stage form 
(m=log24=2). 

Figure 12 shows a second permutation unit corresponding to permutation unit 14 of Fig- 
ure 1 1 which functions to undo the permutation effected by first permutation unit 14 as it de- 
crypts the data word in the decryption unit (1 1 in Figure 3). This second permutation unit 14 ! is 
identical to first permutation unit 14 in structure and comprises four selection units 14 f _3, 14 f _2, 
14'_1, 14'_0. Each of these selection units 14'_3 ... 14'_0 functions to map one of data bits 
Mp[3]...Mp[0] of permutated data word Mp back to one of data bits M[3]...M[0] of original data 
word M. This selection of one of the data bits in individual selection units 14'_3...14 f _0 is ef- 
fected in each case as determined by subkeys P'[3]... P'[0] of a second permutation key P', 
wherein in the example shown P f =(P'[3], P'[2], P'[l], P ? [0]), the individual subkeys P'[3]...P'[0] 
each comprising two subkey bits P'[3,l]...P f [0,0]. 

The generation of subkeys P[3]... P[0] of first permutation key P and of the associated 
subkeys P f [3]...P f [0] of second permutation key P f is explained below based on Figure 13. 

To generate the first and second permutation keys P, P ? , the key generator (13 in Figure 2) 
comprises a first and second key memory 131, 13 T, as well as an assignment register 1 132. Key 
memories 131, 131' are each designed to store n subkeys of key width m=log2(n). Given n=4, 
four subkeys of length 2 are storable in each key memory. Assignment of the subkeys stored in 
first key memory 131 to selection units 14_3...14_0, and thus to the individual data bits of per- 
mutated data word Mp, is effected through the address of key memory 131 which is addressable 
line-by-line and which in the example comprises n=4 lines. The memory address of a subkey in 
this first memory 131 corresponds here to the bit position of the data bit of the permutated data 
word to which the respective key is assigned. A subkey P[k] at the memory address k of key 
memory 131 is thus assigned to the k th data bit Mp[k] of permutated data word Mp, where k 
represents one of the possible line addresses 0...n-l of the memory. 



1 This is later called "assignment memory 132 and, in the list of reference numbers, "selection register." Translator. 
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Assignment of subkeys P'[3]...P'[0] of second subkey P' to selection units 14* 3 ... 14'_0 
or to data bits M[3].. .M[0] of the original data word is effected analogously. That is, subkey 
P'[k] stored at memory position k of second key memory 131' is assigned to selection unit 14 ? _k 
and determines which of the data bits of permutated data word Mp is to be mapped to data bit 
M[k] at the k** 1 position of data word M. 

Generation of subkeys P[3]...P[0] of the first permutation key and of second subkeys 
P'[3]...P'[0] is effected in a mutually matched fashion by a procedure which is explained below. 

The subkeys of first permutation key P are generated consecutively as random binary se- 
quences of length m=2 using the function generator 12 shown in Figure 2. As explained, the in- 
dividual subkeys must differ from one another in order to obtain a one-to-one assignment of the 
data bits of data word to be permutated M to the data bits of permutated data word Mp. In the 
example described based on Figures 1 1 and 12, there are n=4 different subkeys which can be 
assigned randomly to the four selection units. 

One memory position of assignment register 132 is assigned to each of the possible dif- 
ferent subkeys, in this case, "11", "10", "01", "00", wherein a predetermined value is entered in 
the assignment register at the respective position if the assigned subkey has already been gener- 
ated at a memory position of memory 131, and thus for one of selection units 14_3...14_0, so as 
to avoid again generating the same key at a different memory address, and thus for another selec- 
tion unit 14_3...14_0. 

In the example, the assignment of a certain one of the possible subkeys to a memory ad- 
dress of assignment register 132 is effected by directly mapping the value represented by the 
subkey to the address of the memory position of mapping memory 132. For example, the mem- 
ory position 102=2 of assignment memory 132 is thus assigned to a subkey "10". If P[k]=w n -i ... 
wo applies for a subkey, then for the address assigned to this subkey: 



W = 




In order to generate the permutation key, the respective subkeys are randomly generated 
consecutively for the individual memory addresses of first permutation key memory 131, 



mifl09 



13 



wherein after generation of a given subkey a determination is made based on examination of the 
assignment register whether such a subkey has already been generated. If such a subkey has al- 
ready been generated, the subkey is rejected and a new subkey is randomly generated. This pro- 
cedure is repeated until subkeys have been generated for all the memory positions, and thus for 
all the selection units of permutation unit 14. 

When one of the possible subkeys is generated for the first time, a certain value, for ex- 
ample a "1," is entered at the memory address, assigned to this key, of assignment memory 132. 
If this subkey is randomly generated once again for another memory position of memory 131, 
this is detected in assignment memory 132 based on the value entered, and the subkey is rejected 
for this different memory position. 

As explained above, the binary value of a subkey P[3]...P[0] which is assigned to a selec- 
tion unit 14_3...14_0 or to a data bit Mp[3]...Mp[0] of permutated data word Mp corresponds to 
the data position of the data bit M[3]...M[0] of the input word M selected by the respective selec- 
tion unit. Accordingly, subkeys P f [n-l]...P ! [0] of second permutation key P ! each indicate which 
of the data bits of permutated data word Mp is to be mapped to data bit M[3]...M[0] to which the 
respective subkey is assigned. 

If the general condition applies that a subkey P[k] assigned to the k th data bit Mp[k] of 
permutated data word Mp maps the i th data bit M[i] of the permutated data word to this data bit 
of permutated data word Mp, then, conversely, the subkey P'[i] assigned to the i th data bit must 
map the k th data bit of permutated data word Mp to this data bit. 

Second key memory 13 T is organized analogously to first key memory 131, that is, the 
addresses at which the individual subkeys P'[n-l]...P'[0] are stored correspond to the bit positions 
of the data bits M[n-1]...M[0] to which the individual subkeys are assigned. 

In order to generate a matching subkey of second permutation key P' for a randomly gen- 
erated subkey P[k] of first permutation key P, which subkey is assigned to the k th data bit of per- 
mutated data word Mp, the address value k of first subkey P[k] is entered at the address in sec- 
ond key memory 13T, the value of which corresponds to the binary value i represented by the 
first key. In other words, for P[k]=i, P'[i]=k. 

Generation of the first and second permutation keys can be described by the following 
algorithm: 

Line 1 : FOR k = (n-1) DOWNTO 0 
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Line 2: Fetch random number from generator and compute i 
Line 3: Check if MapReg (i) = 1, if true, go to Line 2 
Line 4: Set MapReg(i) = 1 
Line 5: Set o_store(k) = i 
Line 6: Set i_store(i) = k 
Line 4: NEXT k. 

MapReg(i) here represents the value at address k of the assignment register. The expres- 
sion o_store(k) represents the value at address k of the first memory, while i_store(i) represents 
the value at address i of second memory 131\ 

As explained above, the permutation effected during encryption and analogously during 
decryption is augmented by a substitution as determined by a substitution key. This substitution 
can be effected either before the permutation or after the permutation, the procedure being ef- 
fected in the reverse order during the decryption. If during encryption the substitution is effected 
after the permutation, then during decryption the re-substitution is effected before the permuta- 
tion. During the above-described substitution in which, as determined by the substitution key 
bits, the respective assigned data bit is passed on either inverted or unchanged, the same substitu- 
tion key used during decryption is used during encryption. 
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List of reference notations 



AND1-AND4 AND-gate 

C,C key 

INI -INS inputs 

INV1,INV2 inverter 

M data word 

M[n-1]... M[0] data bits 

M'[n-1]...M'[0] data bits of an encrypted data word 

Mp[n-1 ]...Mp[0] data bits of a permutated data word 

ORl,OR2 OR-gate 

OUTl,OUT2 outputs 

P permutation key 

P[n-l]...P[0] subkey of a permutation key 

S substitution key tes 2 

1 0 encryption and decryption unit 

1 1 encryption unit 
IT decryption unit 

13 key generator 

1 4 permutation unit 
1 4_n- 1 ... 1 4 J) selection unit 

1 5 substitution unit 

1 5_n- 1 ... 1 5_0 substitution units 

20 random access memory, RAM 

20 random number generator 

21 input of the RAM 

22 output of the RAM 
30 data processing unit 

1 1 0 input of the encryption unit 

1 1 0' input of the decryption unit 



2 Translators note: this does not appear to belong. 
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111 

111' 

112 

112' 

131 

131' 

132 

141_n-l... 141_0 
142 



output of the encryption unit 
output of the decryption unit 
key input of the encryption unit 
key input of the decryption unit 
first permutation key memory 
second permutation key memory 
selection register 
selection stages 
selection switch 



